Threat Actors

In this post, we will take a closer look at different threat actors that are out there. I am pretty sure most of us heard certain words such as "Script Kiddies" or "Hacktivists" but never really knew what these terms were supposed to mean. I will try to explain these threat actors to you, the activities they perform, and who usually stands behind these attacks.  

Script Kiddie

A script kiddie is someone who uses a computer and already existing code to launch certain attacks. He is described as having several negative characteristics such as little to no expertise or sophistication in the field. He can perform huge damage by using powerful scripts or programs. There is no age limit, meaning anyone can be considered a script kiddie. It is typically used as an insult to a cybersecurity professional or other programmer since he is not able to come up with his own creation but only uses code that already exists. In general, a script kiddie is someone who lacks the necessary skill set to create his own code to attack his target.

Hacktivist

A hacktivist launches attacks as part of an activist movement or similar causes. His motive is not for his own benefit and his actions are socially or politically motivated.

An example of hacktivism is the infamous Anonymous hacker Deric Lostutter. After several football players of the Steubenville high school in Ohio raped a girl and didn’t face any consequences, Deric Lostutter was upset about the case and the lack of justice. He targeted a school website in an effort to raise awareness of the case and shed light on the two high school football players. Lostutter hacked into a fan website of the local football team that was storing email chats and photos relating to the incident. After exposing the evidence to the public, one high schooler was sentenced to a year in prison and the other high schooler was sentenced to 2 years. Since Lostutter violated the CFAA (Computer Fraud and Abuse Act) to access a computer without authorization, he was sentenced to 2 years in federal prison.

Insider

An insider is anyone who has legitimate access to an organization’s internal resources. It is important to mention that some insiders have more access than others and can therefore do more damage than others. For example, as a simple “user” in a company, you most likely have least privilege, which means you can only access data that you’re supposed to use on a daily basis. However, if you are an admin, you can imagine that you have much more privilege than others since you can access and manage sensitive data. This brings us to a malicious insider. A malicious insider is a serious threat since his motivation is to harm the company and potentially expose the data that is internally used. There is a diverse set of motivations behind this threat actor (e.g disgruntled employee).

Competitors

A competitor is motivated by gaining proprietary information. He is an individual outside of the organization that is committing corporate espionage. In general, it is legal to gather information using open-source tools or gathering information through OSINT. However, the line is crossed in many cases, where illegal activities are being performed in order to gather more information, this can also be done by using insider information or hacking the company. A perfect example is an attack on the Houston Astros database. The St. Louis Cardinals hacked the Houston Astros’ internal database back in 2014. They were able to access the database 48 times over two and a half years.

APT (Advanced Persistent Threat)

APT Groups are typically nation-state or state-sponsored groups that target attacks against a network. They launch APT attacks and have significant resources and funding, mostly from a specific nation-state or government.APT is a prolonged attack against a very specific target. This means that it is a long-term operation designed to gather as much valuable data as possible without being discovered. Mandiant (now acquired by FireEye) released an APT1 report that exposed Unit 61398 of the People’s Liberation Army inside China.

The report included the following:
• Estimated over 1,000 servers
• Dozens or hundreds of operators
• Released at least 40 different families of malware
• Stolen hundreds of terabytes of data from at least 141 organizations
• Maintained access for over four years to some victims
• Used malicious files that were sent/opened via email and provided back door remote access.

Here is a link that includes the current APT Groups: https://content.fireeye.com/apt-41/website-apt-groups